Reporting a vulnerability

The security of our modules and our customers is paramount. That's why we encourage security researchers to carry out analyses on our modules and to report any identified vulnerabilities to us, in line with good practice in responsible disclosure.

We are committed to identifying and correcting any vulnerabilities, and to communicating transparently with stakeholders throughout the process.

If you think you have discovered a vulnerability in one of our modules, you can report it to us responsibly at:

modules-security [at] dream-me-up.fr

Only reports submitted encrypted with our public GPG key are processed directly; otherwise, you may receive a refusal message asking you to resubmit your report encrypted.

Please provide as much detail as possible:

  • Detailed description of the nature of the identified vulnerability,
  • Assessment of the impact and potential consequences for users or sites,
  • Relevant version of the module containing the vulnerability,
  • Steps taken to reproduce the problem,
  • Evidence such as screenshots or relevant code extracts.

Please note that non-reproducible findings or findings not directly related to our modules are ignored.

Our vulnerability management policy

In accordance with the TouchWeb Charter for Responsible Cyber Security, our team applies the following principles:

  • Acknowledgement of receipt of all relevant reports (CVSS ≥ 6.0) within a maximum of 7 days,
  • Impact analysis and planning of a patch within 30 days maximum,
  • Publication of a security advisory with CVE if the CVSS score is ≥ 7.5,
  • No patch will be published silently.

In parallel, we make the following commitments to ensure responsible and ethical management of vulnerabilities:

  • Not to prosecute researchers acting in good faith, in particular in the context of the YesWeHack programme managed by TouchWeb SAS,
  • To guarantee that no confidentiality agreement, including white-label agreements, can hinder the transparent publication of a security advisory with a CVE identifier, in compliance with the state of the art.

We are well aware that this transparency is essential to enable the third parties concerned (agencies, merchants, etc.) to meet their compliance obligations, particularly in the context of the PCI-DSS standard or one of its lighter versions, such as SAQ-A.

Authorisation for publication

We expressly authorise TouchWeb SAS to publish information relating to the corrected vulnerabilities of our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.

This publication includes:

  • A CVE identifier associated with the vulnerability.
  • A security note clearly describing the problem and its resolution.
  • The versions affected and the corrected version.
  • An easy-to-deploy patch when updating is not possible.
  • Any useful information enabling users and agencies to protect themselves quickly.

Publication

Below is a list of known and corrected security vulnerabilities:

Date | Module | Version impacted | Version corrected | CWE | CVSS | CVE
-----|--------|------------------|-------------------|-----|------|----

No publication to date.